NetBSD/pkgsrc kP8EufXprint/py-octoprint Makefile distinfo

   py-octoprint: updated to 1.11.8

   1.11.8

   Security fixes

   XSS in Suppressed Command Notifications, severity Moderate (4.6): OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Suppressed Command notifications popups generated by the printer.

   An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.

   See also the GitHub Security Advisory and CVE-2026-35163.

   File exfiltration possible via further parameter injection on upload endpoints, severity High (7.0): OctoPrint versions up until and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. This vulnerability was already reported as GHSA-m9jh-jf9h-x3h2/CVE-2025-48067 but the fix provided in OctoPrint 1.11.2 turned out to be incomplete.

   The primary risk lies in the potential exfiltration of secrets stored inside OctoPrint's config, or further system files. By removing important runtime files, this could also be used to impact the availability of the host after an attempted server restart. Given that the attacker requires a user account with file upload permissions, the actual impact of this should however hopefully be minimal in most cases.

   See also the GitHub Security Advisory and CVE-2026-54134.

   Bug fixes

    [2 lines not shown]
VersionDeltaFile
1.19+4-6print/py-octoprint/Makefile
1.11+4-4print/py-octoprint/distinfo
+8-102 files

NetBSD/pkgsrc RQDPXmatextproc/py-wcmatch distinfo Makefile

   py-wcmatch: updated to 10.2.1

   10.2.1
   - **FIX**: Properly update project requirements to ensure usage of `bracex` 3.0.
VersionDeltaFile
1.14+4-4textproc/py-wcmatch/distinfo
1.16+3-3textproc/py-wcmatch/Makefile
+7-72 files

NetBSD/pkgsrc KVQwdsPdoc CHANGES-2026

   Updated devel/SDL3, net/icinga2
VersionDeltaFile
1.4202+3-1doc/CHANGES-2026
+3-11 files

NetBSD/pkgsrc 275J3cLnet/icinga2 distinfo Makefile

   icinga2: updated to 2.16.3

   2.16.3 (2026-07-01)

   This is a hotfix release that fixes a regression with the `Json.decode()` DSL function that was introduced in v2.16.2:
   The addition of a second argument to the internal `JsonDecode()` function unintentionally leaked into the DSL as a
   required argument. This version restores the old and intended behavior of `Json.decode()`.

   Changes

   * Restore single-argument `Json.decode()` in the DSL
   * Add the upgrading documentation for v2.15.1 again, which went missing with the v2.16.0 release
VersionDeltaFile
1.14+4-4net/icinga2/distinfo
1.29+2-2net/icinga2/Makefile
+6-62 files

NetBSD/pkgsrc OC6VNsJdevel/SDL3 distinfo Makefile

   SDL3: updated to 3.4.12

   3.4.12

   This is a stable bugfix release, with the following changes:

   Fixed an assert on Windows in SDL_SetWindowOpacity()
   Improved support for external surfaces under Wayland
   Fixed visual artifacts when switching render targets with the Vulkan renderer
   Fixed crash rendering YUV textures on NVIDIA drivers with the Vulkan renderer
   Added SDL_HINT_ENABLE_STEAM_SCREEN_KEYBOARD to customize behavior on Steam Deck and Steam Machine
   Improved support for gamepads under Emscripten
   Added hotplug detection support when using libusb for HIDAPI controllers
   Fixed flipped Xbox 360 controller axes on macOS
   Fixed truncated long text input sequences when using sdl2-compat
VersionDeltaFile
1.11+4-4devel/SDL3/distinfo
1.12+2-2devel/SDL3/Makefile
1.12+2-2devel/SDL3/PLIST
+8-83 files

NetBSD/pkgsrc XPfZB7Bdoc CHANGES-2026

   Updated databases/py-apsw, devel/py-argcomplete, devel/py-coverage, time/py-croniter
VersionDeltaFile
1.4201+5-1doc/CHANGES-2026
+5-11 files

NetBSD/pkgsrc zFMYeC3time/py-croniter distinfo Makefile

   py-croniter: updated to 6.2.3

   6.2.3 (2026-07-02)

   Features and Improvements
   - Fix quadratic expansion of comma-separated range lists for a large speed-up on expressions with many ranges.

   Bugfixes
   - Reject a zero step (e.g. ``5-5/0``) in equal and reversed cron ranges instead of silently accepting it.
   - Fix ``expand_from_start_time`` month low-bound off-by-one so stepped month ranges start on the correct month.
VersionDeltaFile
1.3+4-4time/py-croniter/distinfo
1.3+3-3time/py-croniter/Makefile
+7-72 files

NetBSD/pkgsrc TdNxR2Cdevel/py-coverage distinfo Makefile

   py-coverage: updated to 7.15.0

   Version 7.15.0 — 2026-07-02

   - Since 7.14.0, reporting commands implicitly combine parallel data files. Now
     those commands have a new option ``--keep-combined`` to retain the data files
     after combining them instead of the default, which is to delete them.
     Finishes `issue 2198`_.

   - Fix: the LCOV report would incorrectly count excluded functions as uncovered,
     as described in `issue 2205`_. This is now fixed thanks to `Martin Kuntz
     Jacobsen <pull 2206_>`_.

   - When running your program, coverage now correctly sets
     ``yourmodule.__spec__.loader`` as `strongly recommended <--loader--_>`_,
     avoiding the deprecation warning described in `issue 2208`_. Thanks, `A5rocks
     <pull 2209_>`_.

   - Fix: with Python 3.10, running with the ``-I`` (isolated mode) option didn't

    [3 lines not shown]
VersionDeltaFile
1.78+4-4devel/py-coverage/distinfo
1.92+2-2devel/py-coverage/Makefile
+6-62 files

NetBSD/pkgsrc Ehhev4Jdevel/py-argcomplete distinfo PLIST

   py-argcomplete: updated to 3.7.0

   Changes for v3.7.0 (2026-06-30)

   - Escape glob and brace metacharacters in quote_completions
   - Quote prefix passed to compgen in FilesCompleter
   - Remove deprecated easy_install script detection
   - Type hinting improvements
VersionDeltaFile
1.43+4-4devel/py-argcomplete/distinfo
1.14+1-5devel/py-argcomplete/PLIST
1.52+2-2devel/py-argcomplete/Makefile
+7-113 files

NetBSD/pkgsrc jsGHPgwdatabases/py-apsw distinfo Makefile

   py-apsw: updated to 3.53.3.0

   3.53.3.0

   pyodide (web assembly) builds are now published to pypi, thanks to version 4 of cibuildwheel.

   Async breaking changes: This SQLite release requires the database mutex for some APIs that it did not before. The following were direct values, but now must be awaited: Connection.changes() Connection.get_autocommit() Connection.in_transaction Connection.last_insert_rowid() Connection.total_changes()

   The closure extension was removed from SQLite extra by SQLite. Common table expressions are a better approach.

   Remove the logger on module unload (APSW issue 620)
VersionDeltaFile
1.64+4-4databases/py-apsw/distinfo
1.96+2-2databases/py-apsw/Makefile
+6-62 files

NetBSD/pkgsrc s0MYo0Udoc CHANGES-2026

   Updated multimedia/libva, security/sqlmap
VersionDeltaFile
1.4200+3-1doc/CHANGES-2026
+3-11 files

NetBSD/pkgsrc JhtDTsosecurity/sqlmap PLIST distinfo

   sqlmap: updated to 1.10.7

   1.10.7
   Unknown changes
VersionDeltaFile
1.22+290-10security/sqlmap/PLIST
1.32+4-4security/sqlmap/distinfo
1.47+2-2security/sqlmap/Makefile
+296-163 files

NetBSD/pkgsrc LQrXtx8multimedia/libva Makefile distinfo, multimedia/libva/patches patch-va_va__internal.h

   libva: updated to 2.24.0

   2.24.0 - 02.Jul.2026
   * va: Add VA_PICTURE_H264_NON_EXISTING flag
   * va: use secure_getenv instead of getenv in va_x11.c
   * doc: fix libva av1 link for doxygen
   * trace: dump input/output data in va_TraceProtectedSessionExecute
   * trace: Add ProtectedSession Related Log in Trace
VersionDeltaFile
1.40+6-8multimedia/libva/Makefile
1.1+14-0multimedia/libva/patches/patch-va_va__internal.h
1.29+5-4multimedia/libva/distinfo
+25-123 files

NetBSD/pkgsrc-wip de53443rust-beta options.mk

rust-beta: follow main changes

Note this packages needs to be updated to the current beta iteration.
I'll do this soon but, I'm currently AFK.
DeltaFile
+83-6rust-beta/options.mk
+83-61 files

NetBSD/src gq5Yi43usr.bin/make/filemon filemon_dev.c

   filemon_close:  FILEMON_FLUSH_IOCTL if defined
VersionDeltaFile
1.10+14-1usr.bin/make/filemon/filemon_dev.c
+14-11 files

NetBSD/src 6RR8v9Fsys/dev/ic dm9000.c

   Do not panic when frame_length > ETHER_MAX_LEN, reset the chip instead

   There is no need to panic when RX FIFO desync occurred or garbage frame
   arrived. We can recover by resetting the chip, so do that. It's the
   same recovery path the driver already used for a bad avail marker.
VersionDeltaFile
1.45+24-9sys/dev/ic/dm9000.c
+24-91 files

NetBSD/src zVRebtKsys/dev/sdmmc sdmmc_mem.c

   Do not unload bounce buffer dmamap on error during DMA read/write

   Discovered when hacking on jzmmc.

   The two functions: sdmmc_mem_single_segment_dma_write_block and
   sdmmc_mem_single_segment_dma_read_block are not the owners of bounce
   buffer dmamap and have no business in unloading it.

   This caused bus_dmamap_sync: bad offset panic during DMA on non-coherent
   CPU cores.

   Note that this particular code path (bounce buffers) is generally not
   well exercised on mainstream platforms, which caused the bug to get
   unnoticed.
VersionDeltaFile
1.80+2-4sys/dev/sdmmc/sdmmc_mem.c
+2-41 files

NetBSD/pkgsrc vfywKXYmath/cvc5 Makefile

   Add LD_LIBRARY_PATH to testing instruction.

   This improves success rate to 99%.

   $ export LD_LIBRARY_PATH=$(pwd)/src:$(pwd)/src/parser:$(pwd)/src/main
   $ ctest -j32
   ...
   99% tests passed, 1 tests failed out of 4291

   Label Time Summary:
   api capi      =   0.18 sec*proc (7 tests)
   api cppapi    =   4.69 sec*proc (70 tests)
   regress0      = 815.38 sec*proc (2540 tests)
   regress1      = 709.94 sec*proc (1468 tests)
   regress2      = 211.87 sec*proc (145 tests)
   regress3      = 1082.17 sec*proc (51 tests)
   regress4      = 663.37 sec*proc (10 tests)

   Total Test time (real) = 347.30 sec

    [6 lines not shown]
VersionDeltaFile
1.2+4-3math/cvc5/Makefile
+4-31 files

NetBSD/pkgsrc dBPsHhsdoc CHANGES-2026

   Added math/cvc5 version 1.3.4.
VersionDeltaFile
1.4199+2-1doc/CHANGES-2026
+2-11 files

NetBSD/pkgsrc 2e6Pnkjmath Makefile

   Add cvc5.
VersionDeltaFile
1.641+2-1math/Makefile
+2-11 files

NetBSD/pkgsrc LgXNqbKmath/cvc5 Makefile PLIST

   Initial import of math/cvc5 version 1.3.4.

   An efficient open-source automatic theorem prover for Satisfiability
   Modulo Theories (SMT) problems. It can be used to prove the
   satisfiability (or, dually, the validity) of first-order formulas
   with respect to (combinations of) a variety of useful background
   theories.
VersionDeltaFile
1.1+38-0math/cvc5/Makefile
1.1+21-0math/cvc5/PLIST
1.1+5-0math/cvc5/DESCR
1.1+5-0math/cvc5/distinfo
+69-04 files

NetBSD/pkgsrc-wip 6a08541spice-vdagent TODO

spice-vdagent: Add reference to CVE-2026-5796[56]
DeltaFile
+2-0spice-vdagent/TODO
+2-01 files

NetBSD/pkgsrc-wip b9e7f26py-patool TODO

py-patool: Add reference to CVE-2026-29509
DeltaFile
+2-0py-patool/TODO
+2-01 files

NetBSD/pkgsrc-wip 0b43d3bantlr TODO

antlr: Add references to recent CVEs
DeltaFile
+2-0antlr/TODO
+2-01 files

NetBSD/pkgsrc-wip 2f69e52shaarli TODO

shaarli: Add reference to CVE-2026-4882[23]
DeltaFile
+2-1shaarli/TODO
+2-11 files

NetBSD/pkgsrc-wip 7e1ca08py-keras TODO

py-keras: Add reference to CVE-2026-12480
DeltaFile
+1-1py-keras/TODO
+1-11 files

NetBSD/pkgsrc-wip 57a80e8forgejo TODO

forgejo: Add reference to CVE-2026-59102
DeltaFile
+1-1forgejo/TODO
+1-11 files

NetBSD/pkgsrc-wip 1289644electron34 TODO

electron34: Add reference to CVE-2026-54257
DeltaFile
+1-1electron34/TODO
+1-11 files

NetBSD/pkgsrc-wip 217494fdokuwiki TODO

dokuwiki: Add reference to CVE-2026-37106
DeltaFile
+1-1dokuwiki/TODO
+1-11 files

NetBSD/pkgsrc KHdhrDRdoc CHANGES-2026

   Added math/libpoly version 0.2.1.
VersionDeltaFile
1.4198+2-1doc/CHANGES-2026
+2-11 files